
HK1111531B - Method and system providing scrambled content - Google Patents


Publication number
HK1111531B
Authority
HK
Hong Kong
Prior art keywords
key
stream
data
value
decryption key
Application number
HK08101991.9A
Other languages
Chinese (zh)
Other versions
HK1111531A1 (en)
Inventor
安德鲁.奥格斯丁
Original Assignee
耶德托存取公司
Priority claimed from EP06101704A (EP1821538A1)
Application filed by 耶德托存取公司

Description

Method and system for providing scrambled content
Technical Field
The present invention relates to a method and system for providing scrambled data.
Background
The invention relates to a method of providing scrambled data, comprising:
providing a stream of data units based on a sequence of plaintext data units by at least: subjecting at least a portion of at least some of the plaintext data units to a cryptographic operation employing a first encryption key, such that a first segment of the stream of data units comprises data units containing ciphertext obtained using a first value of the first encryption key, and such that a second segment comprises data units containing ciphertext obtained using a second value of the first encryption key, and associating the data units with scrambling state identification data indicative of a state of a scrambling operation applicable to the associated data units, wherein the first encryption key and a corresponding first decryption key form a key pair, the method further comprising:
providing a stream of key messages, wherein each key message carries at least key information that makes a value of a first decryption key available to an authorized decoder, the stream of key messages and the stream of data units being synchronized,
associating each data unit comprising a ciphertext obtained using an arbitrary value of the first encryption key with scrambling state identification data comprising an identifier value associated with the first decryption key,
associating data units in a third segment separating the first segment and the second segment with scrambling state identification data lacking an identifier value associated with the first decryption key, and
providing key information in at least one key message coinciding with one of the first and third segments to enable an authorized decoder to obtain a value of the first decryption key corresponding to the second value of the first encryption key.
The invention also relates to a system for providing scrambled data, comprising:
an input for receiving a stream of plaintext data,
an output for providing a stream of data units based on the plaintext data,
at least a first cryptographic system for performing a cryptographic operation on at least a part of the data unit using a first encryption key, said first encryption key forming a key pair with a corresponding first decryption key,
a control system for providing at least some data units in a first section of the plaintext data stream for inclusion in a first section of the stream of data units together with a first value of a first encryption key to a first cryptographic system and at least some data units in a second section of the plaintext data stream for inclusion in a second section of the stream of data units together with a second value of the first encryption key to the first cryptographic system,
a system for providing a stream of key messages carrying key information enabling an authorised decoder to obtain a value of a first decryption key, and
a system for synchronously providing the stream of key messages and the stream of data units to an authorized decoder,
wherein the system is arranged to associate scrambling state identification data comprising an identifier value associated with the first decryption key with each data unit obtained by performing a cryptographic operation using the first encryption key, to associate data units in a third segment of the stream of data units separating the first and second segments with scrambling state identification data lacking the identifier value associated with the first decryption key,
and to include in the stream of key messages at least one key message which coincides with one of the first and third segments and carries key information making a second value of the first decryption key available to authorised decoders.
The invention also relates to a method of decoding scrambled data, comprising:
obtaining a stream of data units associated with scrambling state identification data indicative of a state of a scrambling operation applicable to the associated data unit,
obtaining a stream of key messages synchronized with the stream of data units,
causing successive values of the first decryption key to be generated from respective sets of key information in at least some key messages in the stream of key messages, and
subjecting at least a portion of any data unit associated with scrambling state identification data including the first identifier value to a cryptographic operation employing the first decryption key, wherein a value of the first decryption key that is saved as a current value is applied.
The invention also relates to a system for decoding scrambled data, comprising:
an interface for obtaining a stream of data units associated with scrambling state identification data indicative of a state of a scrambling operation applicable to the associated data unit,
the interface also being adapted to obtain a stream of key messages synchronized with said stream of data units,
wherein the system is arranged to obtain successive values of the first decryption key from respective sets of key information in at least some of the key messages in the stream of key messages, and
wherein the system is further arranged to apply a decryption operation to at least some parts of the data units associated with scrambling state identification data including the first identifier value using the first decryption key, wherein a value of the first decryption key stored as a current value is applied.
The invention also relates to a computer program.
Corresponding examples of such methods and systems are known from ETSI Technical Report ETR 289 of October 1996, "Digital Video Broadcasting (DVB); Support for use of scrambling and Conditional Access (CA) within digital broadcasting systems". The technical report describes the addition of Conditional Access (CA) elements to the international standard ISO/IEC 13818-1 (MPEG-2). In the case of TS level scrambling, the scrambling algorithm is run on the payload of Transport Stream (TS) packets. The structure of PES packets is used to implement PES level scrambling with the same scrambling algorithm. The Program Specific Information (PSI) part of the MPEG-2 standard contains syntax elements that define where to find the CA system information. The CA table and the Program Map Table (PMT) contain CA descriptors having a CA_PID field that references the PID values of the TS packets carrying CA information such as EMMs (entitlement management messages) and ECMs (entitlement control messages). For applications that scramble MPEG-2 sections, the section scrambling is at TS level and is signalled by the scrambling control field bits. The MPEG-2 systems standard contains a scrambling control field of two bits, both in the TS packet header and in the PES (program elementary stream) header. The first scrambling control bit indicates whether the payload is scrambled. The second bit indicates the use of even or odd keys.
The problem with the known method is that two bits must be used in order to cycle the control words (i.e., keys) used in the common scrambling algorithm. This is because the time required to load a new control word in the decoder cannot be accurately determined but varies from decoder to decoder, and because the decoder needs to know when to start using a new control word. Therefore, it is necessary to indicate three states, namely an odd control word, an even control word and no scrambling.
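The two-bit signalling described above can be read straight from the packet header. The following Python sketch is an added example, not part of the patent: it parses the four-byte TS header defined in ISO/IEC 13818-1, reports the scrambling state under the known scheme, and counts even/odd flips on one PID. The sample packets are constructed, and the assignment of "10" to even and "11" to odd is taken from the detailed description further down the page.

```python
"""Read the transport scrambling control field from MPEG-2 TS packet headers."""

SYNC_BYTE, TS_PACKET_SIZE = 0x47, 188

# Known scheme: first bit = payload scrambled, second bit = even or odd key.
KNOWN_STATES = {
    0b00: "clear",
    0b10: "scrambled, even control word",
    0b11: "scrambled, odd control word",
}


def parse_header(packet):
    """Return PID, scrambling control bits, state and the (possibly scrambled) payload."""
    if len(packet) != TS_PACKET_SIZE or packet[0] != SYNC_BYTE:
        raise ValueError("expected a 188-byte packet starting with sync byte 0x47")
    pid = ((packet[1] & 0x1F) << 8) | packet[2]
    tsc = packet[3] >> 6
    adaptation_field_control = (packet[3] >> 4) & 0x3
    payload_start = 4
    if adaptation_field_control & 0x2:          # adaptation field present
        payload_start += 1 + packet[4]          # length byte plus the field itself
    if payload_start > TS_PACKET_SIZE:
        raise ValueError("adaptation field overruns the packet")
    has_payload = bool(adaptation_field_control & 0x1)
    return {
        "pid": pid,
        "tsc": tsc,
        "state": KNOWN_STATES.get(tsc, "not assigned in the known scheme"),
        # Only these bytes are scrambled; the header always stays in the clear.
        "payload": packet[payload_start:] if has_payload else b"",
    }


def key_period_transitions(packets, pid):
    """Count even/odd flips on one PID; each flip marks a new control word period."""
    flips, last = 0, None
    for packet in packets:
        header = parse_header(packet)
        if header["pid"] != pid or not header["tsc"] & 0b10:
            continue                            # other stream, or not scrambled
        if last is not None and header["tsc"] != last:
            flips += 1
        last = header["tsc"]
    return flips


def make_packet(pid, tsc, adaptation_len=None):
    """Build a constructed test packet (dummy payload bytes, zeroed adaptation field)."""
    afc = 0b01 if adaptation_len is None else 0b11
    header = bytes([SYNC_BYTE, (pid >> 8) & 0x1F, pid & 0xFF, (tsc << 6) | (afc << 4)])
    body = b"" if adaptation_len is None else bytes([adaptation_len]) + bytes(adaptation_len)
    return header + body + b"\xAA" * (TS_PACKET_SIZE - len(header) - len(body))


# Constructed sample: PID 0x100 is scrambled (odd, odd, even, even, odd), PID 0x101 is clear.
SAMPLE = [
    make_packet(0x100, 0b11), make_packet(0x101, 0b00),
    make_packet(0x100, 0b11, adaptation_len=7), make_packet(0x100, 0b10),
    make_packet(0x100, 0b10), make_packet(0x101, 0b00), make_packet(0x100, 0b11),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        h = parse_header(pkt)
        print(f"PID 0x{h['pid']:04x}  tsc={h['tsc']:02b}  {h['state']}  payload={len(h['payload'])} bytes")
    print("control word period transitions on PID 0x100:", key_period_transitions(SAMPLE, 0x100))
```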
Disclosure of Invention
It is an object of the present invention to provide a method and system of the above type for achieving more efficient synchronisation key changes.
This object is achieved with a method of providing scrambled content according to the invention, the method being characterized in that, for each data unit in the sequence included in the third segment, subjecting at least a portion of the plaintext data units to a cryptographic operation employing the first encryption key is suspended.
Note that when a symmetric algorithm is employed, the first decryption key and the corresponding first encryption key with which the key pair is formed will be numerically the same.
Because the third segment separates the first segment and the second segment, and because cryptographic operations employing the first encryption key are suspended for each data unit in the sequence included in the third segment, there is a "quiet period" during which the second value of the first key can be loaded. Since each data unit including ciphertext obtained using any value of the first encryption key is associated with scrambling state identification data including an identifier value associated with the first decryption key, it is only necessary to be able to indicate a second state relating to the algorithm using the first encryption key, i.e. the state relating to the data units in the third segment. Because the stream of key messages and the stream of data units are synchronized, and because at least one key message that coincides with one of the first and third segments carries key information that makes a second value of the first decryption key available to an authorized decoder, the decoder is able to obtain the second value before the second segment of the stream of data units, and a change to the second value indicates the start of a new key period for the first decryption key. In effect, the key message is used in place of data bits associated with the data units to indicate a change between odd and even key periods associated with the first decryption key.
One embodiment includes subjecting at least a portion of at least some units of plaintext data to a cryptographic operation employing a second encryption key that forms a key pair with a corresponding second decryption key.
This has the effect of increasing the level of protection against so-called "control word piracy", a form of piracy in which an authorized receiver redistributes a decryption key to unauthorized receivers. The use of first and second encryption keys increases the amount of key information that must be redistributed.
In one embodiment, the stream of data units is divided into segments corresponding to periods of control words,
obtaining at least a portion of at least one of the data units in each segment corresponding to one period of the control word by subjecting at least a portion of the plaintext data units to a cryptographic operation employing a second encryption key,
wherein a different value of the second encryption key is used for each control word period, and
wherein key information is provided in a key message of the stream of key messages that coincides with a segment of the stream of data units preceding the segment corresponding to the particular control word period, which key information makes available to an authorized decoder a value of the second decryption key corresponding to the value of the second encryption key for the particular control word period.
This has the effect of increasing the level of protection against control word piracy: both the first and the second decryption keys must be continuously updated.
In one embodiment, for each two consecutive control word periods, scrambling state identification data comprising one of at least two values associated with the second decryption key is associated with each data unit in the stream of data units corresponding to a first one of the two consecutive control word periods obtained by subjecting at least a portion of the plaintext data units to a cryptographic operation employing the second encryption key, and
wherein scrambling state identification data comprising a different one of the values associated with the second decryption key is associated with each data unit in the stream of data units corresponding to the second of the two consecutive control word periods that is obtained by subjecting at least a portion of the plaintext data units to a cryptographic operation employing the second encryption key.
This allows only four states to be defined for indication in the scrambling state identification data. A data unit may require no key, the odd second decryption key, the even second decryption key, or the current value of the first decryption key. In principle, two bits of scrambling state identification data suffice for signalling purposes. Although "quiet periods" are used to effect changes of the first decryption key in the decoder, this is not necessary for the second decryption key. Thus, cryptographic operations on the plaintext data units need not be completely suspended.
In one embodiment, at least one key message in the stream of key messages carries key information that makes the value of the first decryption key and the value of the second decryption key available to an authorized decoder.
This is an efficient way of providing key information. This is particularly useful where the key message is provided in an independently identified data packet stream, such as an MPEG-2 transport stream. Only one packet identifier needs to be assigned to a data packet carrying key information for accessing data units in a particular stream.
In one embodiment, each unit of plaintext data is subjected to at most only one of a cryptographic operation employing a first encryption key and a cryptographic operation employing a second encryption key.
The effect is that there are no combined scrambling states, so that only four states need to be indicated in the scrambling state identification data.
In one embodiment, the stream of data units is provided as a multiplex of at least two streams of transport stream packets, each transport stream packet comprising a header and a payload, wherein each header comprises a transport stream identifier, wherein the identifier value associated with the first decryption key is constituted by a first value of the transport stream identifier.
This embodiment has the advantage of conforming to existing standards for data broadcasting, such as the Digital Video Broadcasting standards, although it requires adjustment of the decoder.
According to another aspect of the invention, a system for providing scrambled data is characterized by: the control system is arranged to suspend applying cryptographic operations employing the first encryption key to any portion of the plaintext data units in a third segment of the stream of plaintext data that corresponds to the third segment of the stream of data units.
In an embodiment, the system is arranged to perform the method of providing scrambled data according to the invention.
According to another aspect, the method of decoding scrambled data according to the invention is characterized in that, when a set of key information is obtained for generating a new value of the first decryption key that is different from the current value of the first decryption key, the value of the first decryption key that is held as the current value of the first decryption key is caused to be replaced with the new value of the first decryption key, and in that
at least some portions of only those data units associated with scrambling state identification data including the first identifier value are subjected to a cryptographic operation employing the first decryption key.
By causing the value of the first decryption key held as the current value of the first decryption key to be replaced with the new value of the first decryption key when a set of key information is obtained for generating the new value of the first decryption key that is different from the current value of the first decryption key, the method allows a provider of scrambled data to indicate a change in the value of the first decryption key only by providing a key message with key information for obtaining the new value at a point that coincides with a segment of the stream of data units that precedes the segment of the stream of data units to which the new value applies. To ensure that the data unit in such a preceding segment is not subject to any cryptographic operation using the new value of the first decryption key, the provider may associate scrambling state identification data comprising any identifier value other than the first identifier value with the data unit in the preceding segment.
One embodiment includes subjecting at least some portions of data units associated with scrambling state identification data that includes any of at least one identifier value associated with a second decryption key but different from the first identifier value to a cryptographic operation employing the second decryption key.
Therefore, more key information is needed to access the data units in the stream, making control word piracy more difficult.
One embodiment includes obtaining a stream of data units, the stream being partitioned into segments corresponding to periods of control words,
the value of the second decryption key that is saved as the current value of the second decryption key is used in a cryptographic operation employing the second decryption key,
obtaining a new value of the second decryption key from key information in a key message in the stream of key messages, and replacing the current value of the second decryption key with the new value of the second decryption key upon detection of a control word period transition, wherein said transition is detected by detecting that an identifier value associated with the second decryption key in the scrambling state identification data associated with a data unit in a segment of the stream of data units corresponding to the control word period changes from a first value to a second value.
Thus, the method allows the provider of the stream of data units to continually recycle the value of the second decryption key while adding additional protection by additionally requiring the presence of the first decryption key.
In one embodiment, the second decryption key is obtained by obtaining a key message carrying encrypted key information and providing at least the encrypted key information to a secure decryption module arranged to return the second decryption key.
The secure decryption module may be a separate physical device, for example provided as a tamper-resistant or tamper-proof device with an integrated circuit (e.g. a smart card). It may also be a software module within the decoder, made relatively tamper-resistant, for example by obfuscated code or other such techniques. This embodiment allows for a separation of functions. The key information may be more tightly protected than the stream of data units. At least the encrypted key information is provided from the decoder system to the secure decryption module. The secure decryption module has a higher level of security than the decoder system, since other protection features are added in addition to the protection features of the decoder system.
In one embodiment, a unit of data is subjected to a cryptographic operation using a first decryption key by providing at least a portion of the unit of data to a secure decryption module and providing at least one of a plurality of sets of key information in a key message to the secure decryption module.
This has the following advantages: the first decryption key may be retained in the secure decryption module. Since only some parts of the data units associated with the scrambling state identification data comprising the first identifier value are subject to a cryptographic operation with the first decryption key, it is possible to provide only some data units to the secure decryption module. Thus, the secure decryption module need not be adapted to process the entire stream of data units.
According to another aspect, the system for decoding scrambled data according to the invention is characterized in that: the system is arranged to, when a new value of the first decryption key is obtained that is different from the current value of the first decryption key, replace the value of the first decryption key that is held as the current value of the first decryption key with the new value of the first decryption key, and apply a decryption operation employing the first decryption key only to data in data units associated with scrambling state identification data that includes the first identifier value.
In an embodiment, the system comprises a decoder arranged to perform the method of decoding scrambled data according to the invention.
According to another aspect, a computer program according to the invention comprises a set of instructions capable, when included in a machine-readable medium, of causing a system having information processing capabilities to perform a method of providing scrambled data or a method of decoding scrambled data according to the invention.
Drawings
The invention will be explained in more detail below with reference to the drawings, in which:
Fig. 1 schematically shows a head-end from which scrambled data is provided;
Fig. 2 shows a part of an imaginary stream of transport stream packets for explaining a first embodiment of the present invention;
Fig. 3 shows a part of an imaginary stream of transport stream packets for explaining a second embodiment of the present invention;
Fig. 4 shows a part of an imaginary stream of transport stream packets for explaining a third embodiment of the present invention;
Fig. 5 is a schematic diagram of a system including a secure decryption module and a decoder.
Detailed Description
A head-end system 1 according to the Simulcrypt standard for digital video broadcasting is schematically represented in fig. 1. The head-end system 1 is only one example of a system for providing scrambled data. The head-end system 1 shown in fig. 1 provides a stream of data packets that are broadcast. In other embodiments of the method of providing scrambled data, the stream of data units is written in a file on a data carrier, such as a Digital Versatile Disc (DVD) or a compact disc. While the headend system is typically used to broadcast transport stream packets according to the MPEG-2 systems standard (international standard ISO/IEC 13818-1) via terrestrial, satellite or cable broadcast systems, the methods outlined herein may also be used to provide scrambled data in Internet Protocol (IP) packets for broadcast, multicast or point-to-point transmission to receivers in an appropriate network.
The head-end system 1 comprises a storage system 2 arranged to provide one or more elementary streams of content data belonging to a program. These elementary streams include components such as video and audio elements of the program. In this context, a program is a collection of data streams. Those of the data streams provided with a time base have a common time base intended for synchronous presentation as indicated by the timing information in the elementary stream.
The multiplexing system 3 enables time multiplexing of input data and provides an MPEG-2 transport stream as output. An MPEG-2 transport stream is composed of a series of transport stream packets (TS packets) with a header and a payload that carries units of data from a particular elementary stream.
In addition to the elementary streams from the storage system 2, the multiplexing system 3 receives a stream of Program Specific Information (PSI) from a PSI generator 4, a stream of Entitlement Control Messages (ECMs) from an ECM generator 5 and a stream of Entitlement Management Messages (EMMs) from an EMM generator 6. The conditional access provider (CA provider) operates a custom PSI generator 7 which provides program specific information to the PSI generator 4. Several CA providers' systems (not shown) may be included in the head-end system 1, so that both PSI generator 4 and custom PSI generator 7 are present. The illustrated system associated with the CA provider comprises a custom PSI generator 7, an ECM generator 5 and an EMM generator 6.
The head-end system 1 further comprises a CW generator 8 for generating a sequence of encryption keys, here referred to as second encryption keys or control words. The network management system 9 controls the operation of a variety of different components.
The control words generated by CW generator 8 are provided to synchronization system 10. The synchronization system 10 provides control words to the ECM generator 5, from which it in turn receives ECMs. Each ECM includes at least one set of key information from which an authorized decoder can obtain the control word.
The synchronisation system 10 also supplies the control words to a scrambling system 11, which scrambling system 11 scrambles the MPEG-2 transport stream obtained as output from the multiplexing system 3. One function performed by the synchronization system 10 is to synchronize the ECM stream with the scrambled MPEG-2 transport stream. Synchronization is preferably achieved using time stamps in the MPEG-2 TS packets to provide a common time base for the ECM-carrying TS packets and the scrambled TS packets. Synchronization may be achieved in the order in which the stream of TS packets carrying ECMs and the stream of scrambled TS packets are multiplexed, in combination with a system for maintaining the order of the TS packets in the multiplex. It is observed that in other embodiments the key message is played out on a separate channel and the reference time is used to synchronize the stream of key messages and the stream of scrambled data units.
In the illustrated embodiment, the ECM carries data representing the control word encrypted under the session key. The ECM generator 5 obtains the session key from the EMM generator 6, wherein the EMM generator 6 includes the session key in the EMM directed to the subscriber or groups of subscribers. The EMMs are sent to the subscribers in a well-known manner in the MPEG-2 transport stream generated by the multiplexing system 3.
A first stream 12 of scrambled TS packets 13 produced by a system comprising a synchronisation system 10 and a scrambling system 11 is illustrated in Fig. 2. The first stream 12 is divided into segments corresponding to control word periods 14a-14f. To simplify the illustration, in the present example, each segment corresponding to a control word period 14 is composed of two TS packets 13. In a practical scenario, the number of TS packets 13 per control word period 14 will be larger.
Each TS packet 13 has a header 15 and a payload 16. Only the payload 16 of the TS packet 13 is scrambled. The fields in the header are not described in detail herein, except where relevant to the present description. The complete structure of the header 15 is known from the international standard ISO/IEC 13818-1. The Packet Identifier (PID) field 17 contains a unique number for identifying an elementary stream of a single program or multi-program transport stream. ECMs are carried in TS packets 13 with their own unique PID value. The program map table generated by the custom PSI generator 7 and/or PSI generator 4 links this PID value to the PID values of elementary streams that have been scrambled using the key for which the ECM carries the key information.
The header 15 also includes scrambling state identification data in the form of a transport scrambling control field 18. The size of the transport scrambling control field 18 is two bits.
The header 15 also includes a Program Clock Reference (PCR) field 19. The PCR field 19 indicates the scheduled arrival time of an agreed byte of the TS packet 13. In one embodiment, the PCR field 19 is used to synchronize the ECM stream and the first stream 12 of TS packets, providing a common time base for both streams. Thus, an ECM can coincide with one of the control word periods 14 even though it is actually obtained by the decoder before any TS packet 13 in the first stream 12 within the segment corresponding to that control word period 14.
In Fig. 2, the payloads 16 of the unshaded TS packets 13 in the first stream 12 have all been scrambled by applying to them a cryptographic operation using control words. A different value of the control word is used for each control word period 14. The control word periods 14 may be viewed as alternating odd control word periods 14a, 14c, 14e and even control word periods 14b, 14d, 14f. In all embodiments described herein, a TS packet 13 obtained by subjecting at least a part of the payload 16 of the corresponding plaintext TS packet to a scrambling operation under a control word has one of the values "10" and "11" in the transport scrambling control field 18. The value "10" applies to the even control word periods 14b, 14d, 14f. The value "11" applies to the odd control word periods 14a, 14c, 14e. Thus, a change between these two values in the transport scrambling control field 18 identifies a transition from one control word period to the next.
The ECM stream is configured such that at least one ECM coincides with each control word period 14. The ECM or ECMs carry at least key information that allows an authorised decoder to obtain the value of the control word valid in the control word period 14 following the control word period 14 with which the ECM coincides. Optionally, an ECM may also include the value of the control word valid within the control word period 14 with which it coincides. In this case, each set of key information is provided with an identifier that associates it with the appropriate one of the consecutive control word periods.
In the illustrated embodiment, the selected TS packet 13 in the first stream is obtained by subjecting at least a portion of the plaintext packet payload 16 to a so-called layer 1 cryptographic operation employing a layer 1 encryption key. In fig. 2, such TS packets 13 are indicated by hatching. Discrete segments within the first stream 12 corresponding to layer 1 key periods 20a, 20b, 20c may be identified. The segments corresponding to the layer 1 key period 20 are not contiguous but are separated by segments corresponding to so-called "quiet periods" 21a, 21 b. The segments corresponding to the layer 1 key period 20 and the quiet period 21 form a complete partition of the first stream, parallel to the partition into segments corresponding to the control word periods 14.
Within each layer 1 key period 20, TS packet payloads 16 are selected at a predetermined rate and encrypted under the value of the layer 1 encryption key associated with that layer 1 key period. During the quiet period 21, this operation is suspended until the start of the next layer 1 key period. In each segment of the first stream 12 corresponding to a layer 1 key period 20, the TS packets 13 obtained as a result of performing a cryptographic operation employing the layer 1 encryption key include a value of "01" in the transport scrambling control field 18.
For each control word period 14, at least one ECM that coincides with the control word period 14 further comprises key information for obtaining a value of a layer 1 decryption key valid for the next control word period 14 and one of the next layer 1 key periods (depending on the implementation).
The cryptographic operations that employ the layer 1 encryption key vary depending on the implementation chosen. In one embodiment, the cryptographic operation involves a block chain mode cipher in which the packet payload 16 is partitioned into multiple blocks of the same size, for example 8 or 16 bytes in size, with only the first block in the sequence of blocks being encrypted under the layer 1 encryption key. The AES algorithm provides a suitable cipher for block chain mode. Since each TS packet 13 is also part of a segment corresponding to a control word period 14, the associated control word may be used, for example, as an encryption key for other blocks. Therefore, both a layer 1 decryption key and a control word are required in order to descramble such a TS packet 13. In another embodiment, a segment of the packet's payload 16 carries an additional key encrypted under the layer 1 encryption key, with the remainder of the payload 16 being encrypted under the additional key.
In the embodiment shown in fig. 2, a first ECM with the layer 1 decryption key for the second layer 1 key period 20b is issued at a point P1 coinciding with the first quiet period 21a preceding the second layer 1 key period 20b. A first ECM with the layer 1 key for the layer 1 key period 20c is issued at a point P2 coinciding with the second quiet period 21b immediately preceding the layer 1 key period 20c. The effect is that the decoder can immediately start loading the next layer 1 decryption key. In another embodiment, the first ECM with the layer 1 decryption key for a particular layer 1 key period coincides with the previous layer 1 key period. In order for the decoder to function properly, it must detect that the key information has changed, and it must detect the boundary between the first quiet period 21a and the second layer 1 key period 20b. It may do so by detecting, for example, that TS packets 13 having a value of "01" in the transport scrambling control field 18 are not present at the desired rate.
Common to all embodiments is that the control word and layer 1 key values are recycled, but only two bits of scrambling state identification information are needed to synchronize the key change and key message. The use of two keys means that the amount of key information required to descramble the first stream 12 is relatively large. As shown, the control word period 14 and the layer 1 key period 20 are of different lengths. A segment of the first stream 12 corresponding to the layer 1 key period comprises more TS packets 13 than a segment corresponding to the control word period 14. That is, the layer 1 key is cycled through at a lower rate than the control words.
Fig. 3 illustrates a variation of the method shown in fig. 2. The second stream 22 of TS packets 13 is divided into segments corresponding to control word periods 23 and also into segments corresponding to alternating layer 1 key periods 24 and quiet periods 25. The shaded TS packets 13 may be identified by a value of "01" in the transport scrambling control field 18. These packets have been obtained by subjecting at least a portion of the clear packet payload 16 to a cryptographic operation employing at least the current value of a layer 1 encryption key. A different value is used in each layer 1 key period. The new value of the corresponding layer 1 decryption key is sent in an ECM that coincides with a segment of the second stream 22 corresponding to a quiet period 25 preceding the layer 1 key period 24 in which the new value of the corresponding layer 1 decryption key can be applied. The embodiment shown in fig. 3 differs from the embodiment shown in fig. 2 in that the transition between the quiet period 25 and the layer 1 key period 24 coincides with the transition between the control word periods 23. The effect is that the decoder can determine the start and end of the layer 1 key period by counting down a number of control word periods 23 that is either predetermined or transmitted separately. Otherwise, what has been described with reference to fig. 2 also applies to fig. 3. In particular, the insertion points P1, P2 coincide with the segments corresponding to the quiet period 25 immediately preceding the segment corresponding to the layer 1 key period 24 in the second stream 22. At the insertion points P1, P2, a first ECM is sent carrying key information for obtaining a new value of the layer 1 key.
Fig. 4 illustrates another embodiment applying two layers of encryption. In this case the third scrambled data stream 26 is provided as a multiplex of at least two streams of TS packets 13. The TS packets 13 obtained by subjecting the plaintext packet payloads 16 to cryptographic operations employing layer 1 encryption keys form a first component stream 27, identified by a unique value of the PID field 17. The second component stream 28 is itself a multiplex of elementary streams of TS packets 13 having different values in the PID field 17, as is the case with the first and second streams 12 and 22 of figures 2 and 3. The second component stream 28 comprises only TS packets 13 whose values in the PID field 17 differ from the one or more values identifying the TS packets 13 in the first component stream 27.
In fig. 4, the third scrambled data stream 26 may be considered to be divided into segments corresponding to odd and even control word periods 29. Those TS packets 13 in the second component stream 28 that are scrambled only by applying cryptographic operations involving control words are not shaded in the figure. What is described in relation to such TS packets 13 in the embodiments of fig. 2 and 3 applies equally to the embodiment of fig. 4. In particular, they all have a transport scrambling control field with a value of "10" or "11", which value to take depending on whether they are included in the segment corresponding to the even or odd control word period.
The second component stream 28 also includes "dummy packets". These packets may have a transport scrambling control field with a value of "01", but preferably have a value of "00", corresponding to the identifier value assigned to the TS packet 13 that is not scrambled at all. Thus, this embodiment conforms to the existing syntax for MPEG-2 transport streams.
The "dummy packets" act as placeholders for TS packets in the first component stream 27 to facilitate reconstruction of the clear transport stream originally used to generate the third scrambled data stream 26. Embodiments are also possible in which the second component stream 28 does not include "dummy packets". In that case, the decoder must change the timing information when inserting the plain TS packets 13 obtained by descrambling the first component stream 27 into the plain stream obtained by descrambling the second component stream 28.
As in the case of the first and second streams 12, 22 of TS packets 13, the third stream 26 may be considered to be divided into alternating layer 1 key periods 30 and quiet periods 31. Points P1, P2 indicate where the new layer 1 decryption key is first issued. These points P1, P2 coincide with the quiet periods 31.
An example of a receiver system 32 for decoding streams obtained from the scrambling system 11 and broadcast over a network (not shown) is illustrated in fig. 5. The receiver system 32 comprises a decoder 33 and a portable security device 34, such as a smart card. A tamper-resistant software module may be installed in the decoder 33 in place of the detachable security device 34 to provide equivalent functionality.
The decoder 33 receives the scrambled data stream and ECM stream via a network interface 35 and a tuner/demodulator 36. The demultiplexer 37 filters out the TS packets 13 belonging to a certain program according to the instruction of the controller 38. As is well known, the program map table in the TS packet 13 stream contains the PID value in the PID field 17 in the header 15 of the necessary TS packet 13. In this way, a stream of ECMs and one or more streams of scrambled TS packets 13 are obtained.
The ECM is passed to detachable secure device 34 via interface 39 of the decoder and interface 40 of detachable secure device 34. Processor 41 in detachable secure device 34 decrypts the key information contained in the ECM to obtain the control word and the layer 1 decryption key. Detachable security device 34 also includes a memory unit 42 for storing a key.
The control words are returned to the decoder 33 via the interfaces 39, 40 in a known manner and passed to the descrambling device 43. The descrambling device 43 decrypts under a control word the payload 16 of all TS packets 13 containing the values "10" and "11" in the transport scrambling control field 18.
In one embodiment, the decoder 33 passes the TS packets 13 obtained by subjecting at least a portion of the corresponding plaintext TS packets 13 to a cryptographic operation employing a layer 1 encryption key to the detachable secure device 34. The detachable secure device 34 performs an inverse cryptographic operation using the corresponding layer 1 decryption key (which it holds available in the memory unit 42) and returns the resulting TS packet 13 to the decoder 33, which inserts it into the stream at the position from which it was originally taken. Where the stream has one of the formats discussed above with reference to fig. 2 and 3, the TS packets to be provided to the detachable secure device 34 are identified by a value of "01" in the transport scrambling control field 18.
In one variant, only the segment of the payload 16 of each TS packet 13 associated with scrambling state identification data including an identifier associated with the layer 1 key is provided to the detachable secure device 34. The segment is subject to a cryptographic operation under a layer 1 decryption key. The result of the cryptographic operation is returned to the descrambling device 43, which device 43 subjects at least one segment of the same payload 16 to the associated cryptographic operation on the basis of the result obtained from the detachable security device. The effect is that the detachable security device 34 acts as an access token without having to perform extensive processing on the TS packets 13. Nevertheless, the TS packets 13 remain fairly secure. In one embodiment, the results obtained from the detachable secure device 34 are used as a key to perform a decryption operation on at least one other segment of the payload 16 of the TS packet. In another embodiment, the result is the first block of the plaintext payload 16, and a cipher in block chain mode is used to give the complete plaintext payload 16. The first block is used as an initialization vector. In such an embodiment, the layer 1 decryption key is also provided to the descrambling device 43 for use in the cipher for the remaining blocks. In another variant, a value derived from but different from the layer 1 decryption key is provided to the descrambling device 43. In another variant, the descrambling device 43 uses as the decryption key in the cipher a control word valid for the control word period corresponding to the segment from which the TS packet 13 was originally taken.
ECMs carrying key information for obtaining layer 1 decryption keys are processed as soon as they arrive. When a new value of the layer 1 decryption key is obtained, the value of the layer 1 decryption key previously saved as the current value is immediately replaced with the new value and applied to the next TS packet 13 that requires the use of the layer 1 decryption key. In one embodiment, each value of the layer 1 decryption key obtained from the ECM is loaded into the memory unit 42 of the detachable secure device, and in some embodiments is provided to the decoder 33, without any verification. In another embodiment, it is only applied if it is different from the value that was saved as the current value. This has the effect of limiting the number of key transfers between the decoder 33 and the detachable secure device 34 in embodiments where the decoder 33 uses a layer 1 key. In other embodiments, it simply limits the number of transfers of information to and from memory unit 42.
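The stream layout of fig. 2 and the key handling just described can be followed packet by packet in the example below, which is added here and is not code from the patent or its applicant. It reads the transport scrambling control bits from each MPEG-2 TS header, reports control word transitions and layer 1 key period boundaries, and applies a layer 1 key from an ECM only when it differs from the current value. The names `KeyTracker`, `quiet_threshold`, `make_packet` and `run_sample`, the key values and the 24-packet stream are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47
# transport_scrambling_control values as assigned in the description above
TSC_CLEAR, TSC_LAYER1, TSC_EVEN_CW, TSC_ODD_CW = 0b00, 0b01, 0b10, 0b11


def parse_header(packet: bytes) -> Tuple[int, int]:
    """Return (PID, transport_scrambling_control) of one MPEG-2 TS packet."""
    if len(packet) != TS_PACKET_SIZE or packet[0] != SYNC_BYTE:
        raise ValueError("not a 188-byte TS packet with sync byte 0x47")
    pid = ((packet[1] & 0x1F) << 8) | packet[2]   # 13-bit PID
    tsc = packet[3] >> 6                          # top two bits of byte 3
    return pid, tsc


@dataclass
class KeyTracker:
    """Hypothetical decoder-side state; not a structure named in the patent."""
    quiet_threshold: int = 4          # assumption: gap meaning "01 rate not met"
    layer1_key: Optional[bytes] = None
    key_loads: int = 0                # how often the stored key was replaced
    cw_parity: Optional[int] = None
    in_quiet: bool = True             # no "01" packet seen yet
    gap: int = 0                      # packets since the last "01" packet
    events: List[Tuple[str, int]] = field(default_factory=list)
    layer1_use: List[Tuple[int, Optional[bytes]]] = field(default_factory=list)

    def on_ecm(self, new_key: bytes) -> bool:
        """Replace the current layer 1 key only if the ECM carries a new value."""
        if new_key == self.layer1_key:
            return False
        self.layer1_key = new_key
        self.key_loads += 1
        return True

    def on_packet(self, index: int, packet: bytes) -> str:
        """Update state for one packet and name the key needed to descramble it."""
        _, tsc = parse_header(packet)
        if tsc == TSC_LAYER1:
            if self.in_quiet:                     # first "01" after a quiet period
                self.in_quiet = False
                self.events.append(("layer1_period_start", index))
            self.gap = 0
            self.layer1_use.append((index, self.layer1_key))
            return "layer1" if self.layer1_key else "layer1_missing_key"
        self.gap += 1
        if not self.in_quiet and self.gap >= self.quiet_threshold:
            self.in_quiet = True                  # "01" packets stopped arriving
            self.events.append(("quiet_start", index))
        if tsc in (TSC_EVEN_CW, TSC_ODD_CW):
            if self.cw_parity is not None and tsc != self.cw_parity:
                self.events.append(("cw_transition", index))
            self.cw_parity = tsc
            return "even_cw" if tsc == TSC_EVEN_CW else "odd_cw"
        return "clear"


def make_packet(pid: int, tsc: int) -> bytes:
    """Constructed test packet: 4-byte header, payload only, all-zero payload."""
    header = bytes([SYNC_BYTE, (pid >> 8) & 0x1F, pid & 0xFF, (tsc << 6) | 0x10])
    return header + bytes(TS_PACKET_SIZE - 4)


def run_sample() -> KeyTracker:
    """Constructed stream: parity flips every 8 packets; "01" packets appear every
    third packet in two layer 1 key periods separated by a quiet period."""
    k1, k2 = b"\x01" * 16, b"\x02" * 16           # constructed key values
    layer1_at = {0, 3, 6, 9, 18, 21}
    ecms = {12: k2, 14: k2}                       # new key repeated in the quiet period
    tracker = KeyTracker()
    tracker.on_ecm(k1)
    for i in range(24):
        if i in ecms:
            tracker.on_ecm(ecms[i])
        parity = TSC_ODD_CW if (i // 8) % 2 == 0 else TSC_EVEN_CW
        tsc = TSC_LAYER1 if i in layer1_at else parity
        tracker.on_packet(i, make_packet(0x100, tsc))
    return tracker


if __name__ == "__main__":
    t = run_sample()
    print(t.events, "layer 1 key loads:", t.key_loads)
```

The repeated ECM at packet 14 causes no second key load, and the quiet period is only recognised four packets after the last "01" packet, which is the detection delay inherent in the rate-based approach.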
If the stream obtained by the decoder 33 has the format shown in fig. 4, then the filter is set up to obtain the PID value corresponding to the first component stream 27. The payload 16 of the TS packets 13 belonging to the first component stream 27 is subjected to a decryption operation involving a layer 1 decryption key. This involves one of the operations described above with reference to fig. 2-3 and 5. The decoder 33 descrambles the first and second component streams 27, 28, respectively. Then, the "dummy packet" is replaced with the plain TS packet 13 obtained by applying the decryption operation using the layer 1 decryption key, using a FIFO (first in first out) buffer (not shown). The PID values are adjusted so that the stream leaving the FIFO buffer contains a smaller PID value.
In a variant, the decoder 33 detects, as described above, the PID value associated with the TS packets 13 to be subjected to cryptographic operations employing the layer 1 decryption key, but does not receive a data stream having duplicate TS packets 13 as illustrated. In this case, the plain TS packets 13 obtained from the TS packets 13 with the particular PID value are remapped into the multiplexed second component stream forming the scrambled data stream.
The invention is not limited to the embodiments described in detail herein, but may be varied within the scope of the accompanying drawings. For example, cryptographic operations that employ layer 1 encryption keys may include the generation of a digital signature and attaching it to the TS packet payload without encryption of the actual payload. As is known, the signature generation process applies a one-way function to part or all of the packet payload and in this case encrypts the result under a layer 1 encryption key. The corresponding decryption operation includes decrypting the signature under a layer 1 decryption key that forms a key pair with the layer 1 encryption key.
It is also observed that in most embodiments, the stream of key messages is multiplexed to form part of the stream of scrambled TS packets. In such embodiments, the key message will coincide with a particular segment in the stream of scrambled TS packets, either as part of that segment, or by containing timing or continuity information linking it to that segment.

Claims (16)

1. A method of providing scrambled data, comprising:
providing a stream of data units (12; 22; 26) based on a sequence of plaintext data units by: subjecting at least a portion of at least some of the plaintext data units to a cryptographic operation employing a first encryption key, such that a first segment of the stream of data units comprises data units containing ciphertext obtained using a first value of the first encryption key, and such that a second segment comprises data units containing ciphertext obtained using a second value of the first encryption key, and associating the data units with scrambling state identification data (17, 18) indicative of a state of a scrambling operation applicable to the associated data units, wherein the first encryption key and a corresponding first decryption key form a key pair, the method further comprising:
providing a stream of key messages, wherein each key message carries at least key information enabling an authorized decoder (33) to obtain a value of a first decryption key, the stream of key messages and the stream of data units being synchronized,
associating each data unit comprising a ciphertext obtained using an arbitrary value of the first encryption key with scrambling state identification data comprising an identifier value associated with the first decryption key,
associating data units in a third segment separating the first segment and the second segment with scrambling state identification data lacking an identifier value associated with the first decryption key, and
providing key information in at least one key message that coincides with one of the first and third segments, such that an authorized decoder can obtain a value of the first decryption key that corresponds to the second value of the first encryption key, characterized by:
for each data unit in the sequence included in the third section, pausing for subjecting at least a portion of the plaintext data units to a cryptographic operation employing the first encryption key.
2. The method of claim 1, comprising: subjecting at least a portion of at least some of the units of plaintext data to a cryptographic operation employing a second encryption key, the second encryption key and a corresponding second decryption key forming a key pair.
3. The method according to claim 2, wherein the stream of data units is divided into segments corresponding to control word periods (14; 23; 29),
obtaining at least a portion of at least one data unit in each segment corresponding to a control word period (14; 23; 29) by subjecting at least a portion of the plaintext data units to a cryptographic operation employing a second encryption key,
wherein a different value of the second encryption key is used for each control word period (14; 23; 29), and
wherein key information is provided in a key message in the stream of key messages coinciding with a segment preceding the segment corresponding to a particular control word period (14; 23; 29) in the stream of data units, which key information makes available to an authorised decoder (33) a value of a second decryption key corresponding to the value of the second encryption key for the particular control word period.
4. A method according to claim 3, wherein for every two consecutive control word periods (14; 23; 29) scrambling state identification data comprising one of at least two values associated with a second decryption key is associated with each data unit obtained by subjecting at least a part of a plaintext data unit to a cryptographic operation employing a second encryption key in a segment of the stream of data units corresponding to a first period of the two consecutive control word periods (14; 23; 29), and
wherein scrambling state identification data (17, 18) comprising a different one of said values associated with the second decryption key is associated with each data unit obtained by subjecting at least a portion of a plaintext data unit to a cryptographic operation employing a second encryption key in a segment of said stream of data units corresponding to a second period of said two consecutive periods of control words (14; 23; 29).
5. The method of claim 2, wherein at least one key message in the stream of key messages carries key information that makes the values of the first and second decryption keys available to an authorized decoder.
6. The method of claim 2, wherein each unit of plaintext data is subject to at most only one of a cryptographic operation employing a first encryption key and a cryptographic operation employing a second encryption key.
7. The method according to any of claims 1-5, wherein the stream of data units (26) is provided as a multiplex of streams (27, 28) of at least two transport stream packets (13), each transport stream packet (13) comprising a header (15) and a payload (16), wherein each header (15) comprises a transport stream identifier (17), and wherein the identifier value associated with the first decryption key is constituted by a first value of said transport stream identifier (17).
8. A system for providing scrambled data, comprising:
an input for receiving a stream of plaintext data,
an output for providing a stream of data units based on the plaintext data,
at least a first cryptographic system (11) for applying a cryptographic operation employing a first encryption key to at least a portion of the data unit, said first encryption key forming a key pair with a corresponding first decryption key,
a control system (9, 10) for providing at least some data units in a first section of the stream of plaintext data for inclusion in a first section of the stream of data units together with a first value of a first encryption key to the first cryptographic system and at least some data units in a second section of the stream of plaintext data for inclusion in a second section of the stream of data units together with a second value of the first encryption key to the first cryptographic system,
a system (5) for providing a stream of key messages carrying key information enabling an authorised decoder to obtain a value of a first decryption key, and
a system (10) for synchronizing the stream of key messages and the stream of data units to a licensed decoder (32),
wherein the system is arranged to associate scrambling state identification data (17, 18) comprising an identifier value associated with the first decryption key with each data unit obtained by performing a cryptographic operation employing the first encryption key, to associate data units in a third segment of the stream of data units separating the first and second segments with scrambling state identification data lacking the identifier value associated with the first decryption key,
and including into the stream of key messages at least one key message which is superposed with one of the first and third segments and carries a second value making the first decryption key available to authorised decoders,
the method is characterized in that:
the control system is arranged to suspend the application of cryptographic operations employing the first encryption key to any part of a plaintext data unit in a third segment of the stream of plaintext data corresponding to the third segment of the stream of data units.
9. The system of claim 8, arranged to perform the method of claim 1.
10. A method of decoding scrambled data, comprising:
obtaining a stream (12; 22; 26) of data units (16) associated with scrambling state identification data (17, 18) indicating a state of a scrambling operation applicable to the associated data unit (16),
obtaining a stream of key messages synchronized with said stream of data units (12; 22; 26),
causing successive values of the first decryption key to be generated from respective sets of key information in at least some key messages in the stream of key messages, and
subjecting at least a portion of any data unit (16) associated with scrambling state identification data (17; 18) including a first identifier value to a cryptographic operation employing a first decryption key, wherein the value of the first decryption key stored as a current value is applied,
the method is characterized in that:
when a set of key information is obtained for generating a new value of the first decryption key that is different from the current value of the first decryption key, causing the value of the first decryption key that is held as the current value of the first decryption key to be replaced with the new value of the first decryption key, and in that
only at least some portions of data units (16) associated with scrambling state identification data containing the first identifier value are subjected to a cryptographic operation employing the first decryption key.
11. The method of claim 10, comprising: at least some portions of data units (16) associated with scrambling state identification data (18) containing any of at least one identifier value associated with the second decryption key and different from the first identifier value are subjected to a cryptographic operation employing the second decryption key.
12. The method of claim 11, comprising: obtaining a stream (12; 22; 26) of data units (16) divided into segments corresponding to control word periods (14; 23; 29),
the value of the second decryption key that is saved as the current value of the second decryption key is used in a cryptographic operation employing the second decryption key,
obtaining a new value of a second decryption key from key information in a key message of said stream of key messages, and upon detecting a transition during a control word cycle, replacing a current value of the second decryption key with said new value of the second decryption key, wherein said transition is detected by: a change from a first identifier value to a second identifier value associated with a second decryption key is detected in scrambled identification data (18) associated with a data unit (16) in a plurality of segments (12; 22; 26) of a stream (12; 22; 26) of data units corresponding to control word periods (14; 23; 29).
13. A method according to claim 11, wherein the second decryption key is obtained by obtaining a key message carrying encryption key information and providing at least the encryption key information to a secure decryption module (34) arranged to return the second decryption key.
14. The method of any of claims 10-13, wherein the data unit (16) is subjected to a cryptographic operation employing a first decryption key by providing at least a portion of the data unit (16) to a secure decryption module (34) and providing at least one of the plurality of sets of key information in the key message to the secure decryption module (34).
15. A system for decoding scrambled data, comprising:
an interface (35, 36) for obtaining a stream (12; 22; 26) of data units (16) associated with scrambling state identification data (17, 18) for indicating a state of a scrambling operation applicable to the associated data unit (16),
and for obtaining a stream of key messages in synchronization with said stream (12; 22; 26) of data units (16),
wherein the system is arranged to obtain successive values of the first decryption key from respective sets of key information in at least some of the key messages in the stream of key messages, and
wherein the system is further arranged to apply a decryption operation using the first decryption key to at least some parts of the data units associated with the scrambling state identification data (17, 18) including the first identifier value, wherein a value of the first decryption key stored as a current value is applied,
the method is characterized in that:
the system is arranged to: when a new value of the first decryption key is obtained that is different from the current value of the first decryption key, the value of the first decryption key that is held as the current value of the first decryption key is replaced with the new value of the first decryption key, and only data in the data unit associated with the scrambling state identification data that includes the first identifier value is subjected to a decryption operation using the first decryption key.
16. The system according to claim 15, comprising a decoder (33) arranged to perform the method according to any one of claims 10-14.
HK08101991.9A 2006-02-15 2008-02-22 Method and system providing scrambled content HK1111531B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP06101704.2 2006-02-15
EP06101704A EP1821538A1 (en) 2006-02-15 2006-02-15 Method and system providing scrambled content

Publications (2)

Publication Number Publication Date
HK1111531A1 HK1111531A1 (en) 2008-08-08
HK1111531B true HK1111531B (en) 2011-12-09
